Welcome to NBlog, the NoticeBored blog

Jan 8, 2019

NBlog Jan 8 - audit questions (braindump)

"What questions should an auditor ask?" is an FAQ that's tricky to answer since "It depends" is true but unhelpful.

To illustrate my point, here are some typical audit questions or inquiries:

What do you do in the area of X

Tell me about X

Show me the policies and procedures relating to X

Show me the documentation arising from or relating to X

Show me the X system from the perspectives of a user, manager and administrator

Who are the users, managers and admins for X

Who else can access or interact or change X

Who supports X and how good are they

Show me what happens if X

What might happen if X

What else might cause X

Who might benefit or be harmed if X

What else might happen, or has ever happened, after X

Show me how X works

Show me what’s broken with X

Show me how to break X

What stops X from breaking

Explain the controls relating to X

What are the most important controls relating to X, and why is that

Talk me through your training in X

Does X matter

In the grand scheme of things, is X important relative to, say, Y and Z

Is X an issue for the business, or could it be

Could X become an issue for the business if Y

Under what circumstances might X be a major problem

When might X be most problematic, and why

How big is X - how wide, how heavy, how numerous, how often ...

Is X right, in your opinion

Is X sufficient and appropriate, in your opinion

What else can you tell me about X

Talk me through X

Pretend I am clueless: how would you explain X

What causes X

What are the drivers for X

What are the objectives and constraints relating to X

What are the obligations, requirements and goals for X

What should or must X not do

What has X achieved to date

What could or should X have achieved to date

What led to the situation involving X

What’s the best/worst thing about X

What’s the most/least successful or effective thing within, about or without X

Walk or talk me through the information/business risks relating to X

What are X’s strengths and weaknesses, opportunities and threats

What are the most concerning vulnerabilities in X

Who or what might threaten X

How many changes have been made in X

Why and how is X changed

What is the most important thing about X

What is the most valuable information in X

What is the most voluminous information in X

How accurate is X …

How complete is X …

How up-to-date is X …

… and how do you know that (show me)

Under exceptional or emergency conditions, what are the workarounds for X

Over the past X months/years, how many Ys have happened … how and why

If X was compromised in some way, or failed, or didn’t perform as expected etc., what would/might happen

Who might benefit from or be harmed by X

What has happened in the past when X failed, or didn’t perform as expected etc.

Why hasn’t X been addressed already

Why didn’t previous efforts fix X

Why does X keep coming up

What might be done to improve X

What have you personally tried to address X

What about your team, department or business unit: what have they done about X

If you were the Chief Exec, Managing Director or god, what would you do about X

Have there been any incidents caused by or involving X and how serious were they

What was done in response – what changed and why

Who was involved in the incidents

Who knew about the incidents

How would we cope without X

If X was to be replaced, what would be on your wishlist for the replacement

Who designed/built/tested/approved/owns X

What is X made of: what are the components, platforms, prerequisites etc.

What versions of X are in use

Show me the configuration parameters for X

Show me the logs, alarms and alerts for X

What does X depend on

What depends on X

If X was preceded by W or followed by Y, what would happen to Z

Who told you to do ... and why do you think they did that

How could X be done more efficiently/effectively

What would be the likely or possible consequences of X

What would happen if X wasn’t done at all, or not properly

Can I have a read-only account on system X to conduct some enquiries

Can I have a full-access account on test system X to do some audit tests

Can I see your test plans, cases, data and results

Can someone please restore the X backup from last Tuesday

Please retrieve tape X from the store, show me the label and lend me a test system on which I can explore the data content

If X was so inclined, how could he/she cause chaos, or benefit from his/her access, or commit fraud/theft, or otherwise exploit things

If someone was utterly determined to exploit, compromise or harm X, highly capable and well resourced, what might happen, and how might we prevent them succeeding

If someone did exploit X, how might they cover their tracks and hide their shenanigans

If X had been exploited, how would we find out about it

How can you prove to me that X is working properly

Would you say X is top quality or perfect, and if not why not

What else is relevant to X

What has happened recently in X

What else is going on now in X

What are you thinking about or planning for the mid to long term in relation to X

How could X be linked or integrated with other things

Are there any other business processes, links, network connections, data sources etc. relating to X

Who else should I contact about X

Who else ought to know about the issues with X

A moment ago you/someone else told me about X: so what about Y

I heard a rumour that Y might be a concern: what can you tell me about Y

If you were me, what aspects of X would concern you the most

If you were me, what else would you ask, explore or conclude about X

What is odd or stands out about X

Is X good practice

What is it about X that makes you most uncomfortable

What is it about this audit that makes you most uncomfortable

What is it about me that makes you most uncomfortable

What is it about this situation that makes you most uncomfortable

What is it about you that makes me most uncomfortable

…

Is there anything else you’d like to say

I could go on all day but that is more than enough already, and I really ought to be earning a crust! If I had more time, stronger coffee and thought it would help, I might try sorting and structuring that braindump ... but in many ways it would be better still if you did so, considering and revising the list to suit your purposes if you are planning an audit.

Alternatively, think about the questions you should avoid or not ask. Are there any difficult areas? What does that tell you?

It's one of those situations where the journey trumps the destination. Developing a set of audit concerns and questions is a creative process. It's fun.

I’m deliberately not specifying “X” because that is the vital context. The best way I know of determining X and the nature of the questions/enquiries arising is risk analysis. The auditor looks at the subject area, considers the possibilities, evaluates the risks and picks out the ones that are of most concern, does the research and fieldwork, examines the findings … and re-evaluates the situation (possibly leading to further investigation – it’s an iterative process, hence all the wiggly arrows and loops on the process diagram).

Auditing is not simply a case of picking up and completing a questionnaire or checklist, although that might be part of the audit preparation. Competent, experienced auditors feed on lists, books, standards and Google as inputs and thought-provokers for the audit work, not definitive or restrictive descriptions of what to do. On top of all that, the stuff they discover often prompts or leads to further enquiries, sometimes revealing additional issues or risks or concerns almost by accident. The real trick to auditing is to go in with eyes, ears and minds wide open – curious, observant, naïve, doubtful (perhaps even cynical) yet willing to consider and maybe be persuaded.


NBlogger is ...

Dr Gary Hinson PhD MBA CISSP has an abiding interest in human factors - the ‘people side’ as opposed to the purely technical aspects of information security. Gary's career stretches back to the mid-1980s as both practitioner and manager in the fields of IT system and network administration, information security and IT auditing. He has worked and consulted in the pharmaceuticals/life sciences, utilities, IT, engineering, defense, financial services and government sectors, for organizations of all sizes. Since 2003, he has been creating security awareness materials for clients (www.NoticeBored.com) and supporting users of the ISO27k standards (www.ISO27001security.com). In conjunction with Krag Brotby, he wrote "PRAGMATIC security metrics" (www.SecurityMetametrics.com). He is a keen radio amateur, often calling but seldom heard by distant stations on the HF bands.